CSC 175 Assignment: Data Link Concepts and Experiments
Due Wednesday 2/19

Exercises from the textbook, chapter 2: #1, 2, 5, 6, 18, 39, 42, 45, 46, and 53. These exercises are to be completed individually, while the lab exercises are for your groups.

The lab part of the assignment requires you to configure your Linux system. Be sure you log on as root and coordinate with your team when you do this. Consult the instructions on remote login from the "linux installation notes" link.

NOTE: THIS ASSIGNMENT REQUIRES YOU TO ACQUIRE CERTAIN BASIC SKILLS THAT WILL BE NEEDED LATER: I WILL ASSUME THAT YOU HAVE THESE SKILLS.

**********************************
PRE-LAB SETUP:

Before starting this lab, log in to your Linux box as root and make sure that you're connected to the network. Do a "ping 10.1.0.98" and see if you get a response. Also, make sure you have the tshark program installed (tshark is text-only wireshark). If not:

  sudo apt-get install tshark
**********************************

Some basic commands you should familiarize yourself with:

A. "ip link" (also "ifconfig -a"): gives info on each network interface and its fixed MAC address. "ip addr" will also show the assigned IP addresses. With ip link you can:

  ip link set up ens1                              : activate interface
  ip link set down ens1                            : deactivate (bring down) interface
  ip link set dev ens1 mtu 1000                    : change the max packet size from the default 1500
  ip link set dev ens1 address 11:22:33:00:00:aa   : change MAC address
  ip addr                                          : show both link-level and IP-level info (ip -4 restricts to IPv4)

B. arp (also "ip neigh"): controls the address resolution protocol cache. "arp -n" will display the cache. Type "man arp" to learn how to use arp. "ip neigh" can also be used to display the same information.

C. "ip route" (also "route -n"): displays/changes the IP routing table.

D. ping: sends an ICMP probe to a host to see if it's alive. Read the man page for ping: "man ping".

E. netstat -n: shows socket activity information.
The -n option is used with many commands to display only numerical information, without address resolution.

YOU NEED TO ESPECIALLY STUDY 'arp' AND 'ip link' FOR THIS ASSIGNMENT. What does "ip link set up dev ens1" do? Look through the online "man" pages for each command.

You should also become familiar with the purpose of the following files and directories:

* /etc/netplan/99_config.yaml: Contains the TCP/IP settings for your network interfaces. This file was created from the information you entered when installing the OS, but it can be edited here. When the system starts up, it will use this info to configure networking. This file is the configuration file for "netplan", a background service that tries to control networking automatically. This means that changes made to the networking configuration using commands such as ip link, ip addr, etc. are only temporary. You can optionally disable netplan by following some hints found here: https://askubuntu.com/questions/1031709/ubuntu-18-04-switch-back-to-etc-network-interfaces Be warned that I've not tried this myself, and I'm not 100% certain if it fully applies to the latest Ubuntu distro.

* /etc/resolv.conf: This file lists the DNS nameservers your machine will use. You can change this file temporarily to use different nameservers; it will be reset upon reboot. Under "netplan", this file is a link to /run/systemd/resolve/stub-resolv.conf, which means changes you make to this file may only be temporary. Make sure that the nameserver you're using is 10.1.0.98.

* /proc/sys/net/ipv4/: This is a directory containing a set of "files" that indicate current system settings. Some of these files contain a single 0 or 1 flag value. For example, the file /proc/sys/net/ipv4/ip_forward controls whether your system is allowed to forward IP packets, i.e., act as a router:

  echo 1 > /proc/sys/net/ipv4/ip_forward   : allows your host to route.

* /etc/init.d/: This directory contains startup scripts.
For example, "/etc/init.d/networking restart" will reset networking services. You can create your own shell scripts that are executed automatically on bootup: create a file using any editor, make it executable with chmod +x, then execute the command

  update-rc.d yourscriptfilename defaults

How Linux starts up is quite complicated, so look at the man page for update-rc.d.

In the following, by "ens1" I mean your active ethernet interface, which on your machine may also be called "enp9s0".

0. Add a guest account on your server with username guest (sudo adduser guest). Password to be supplied. Some unix commands that concern users are "who", "wall", "mesg" and "write". Become familiar with these commands.

0.1. Use an editor to create the following file:

  /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg

with the following content:

  network: {config: disabled}

This limits the disruption that "netplan" causes to network configurations, but it doesn't stop it completely.

0.2. Study the ARP protocol and the Linux "arp" utility ("man arp"). With arp you can change the MAC-IP address associations in the arp cache with "arp -s". Another command you can use for similar purposes is "ip neigh". In particular, "ip neigh flush all" flushes the arp cache. Study the "iproute2" guide posted on the homepage.

1. Learn to use tshark. Here are the basics:

  (sudo) tshark -i ens1 -w temp.pcap

This captures packets and records them in the binary file temp.pcap.

  (sudo) tshark -r temp.pcap

This displays the captured packets. However, it's more useful to do the following:

  (sudo) tshark -c 10 -V -i ens1 > temp

Running tshark with the -V option (verbose output) always outputs to stdout, so you can capture it in a file called temp, which will be a text file that can be read with tail/cat/more, or using an editor. This gives more info, including the entire protocol stack of each packet.
The -c 10 option limits the capture to 10 packets.

Other useful options you can use with tshark are:

  -n                   (numerical info only)
  -f "host 10.1.0.3"   (only packets whose src/dst ip is that ip)

Look at the online documentation for full details.

2. For this part of the assignment, you are to work with a neighboring group. It is a common myth that each computer can only have one IP. IPs are associated with interfaces, not hosts. It is also a myth that each interface can only have one IP. The following command will add 10.1.0.200 as an additional address to your interface:

  ip addr add 10.1.0.200 dev ens1

or pick another IP, between 201 and 255. Type "ip addr" to verify that this address has indeed been added.

BEFORE THE NEXT STEP, FLUSH YOUR ARP CACHE! (ip neigh flush all)

After doing so, have someone "ping" 10.1.0.200 (you can do this yourself by remotely logging into a guest account). Some systems may not allow you to add this address. Deduce how a system can discover that an address conflicts with other addresses on the same LAN. Can you discover that there is a conflicting address somewhere else on the Internet (not on your LAN)? Monitor all traffic with wireshark/tshark. You should see an ARP broadcast request for the MAC address of 10.1.0.2. Did your host respond to it? Did you get the pings (echo requests)?

3. Based on your understanding of MAC addresses, IP addresses, and ARP, can you give yourself any IP address, such as 147.4.180.112 (one of the adams 204 computers), this way? Can you give yourself this IP if you managed to "steal" the MAC address of that actual machine? Why is that possible or not possible? Try it. The MAC for the "real" 147.4.180.112 is 4c:cc:6a:f1:84:ff

4. Create the file /etc/ethers that contains the correct MAC address for each host in the "secret" network. The file should have the simple format

  40:f2:e9:75:36:81 10.1.0.98
  ... 10.1.0.1
  ...
You need to think of ways to find the MAC address of each "secret" host (including thincrust). This will make our internal network more efficient by eliminating ARP broadcasts. It will also make it more difficult for someone to spoof us by claiming to be someone else. But it is not foolproof.

You can temporarily change the MAC address of an interface:

  ip link set address ab:cd:ef:11:22:33 dev ens1

See if you can hijack someone else temporarily (since your web server only has a self-signed certificate, you should be able to). You can find out if you're being hijacked using arping (apt-get install arping, then do "man arping").

RESET YOUR IP CONFIG AFTER THE EXERCISES
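The following is an added example, not part of the assignment: a small Python checker that reads an /etc/ethers-style table (the 10.1.0.98 entry from step 4 plus a placeholder) and a constructed capture in the style of tshark's one-line ARP summaries, and reports replies that disagree with the ethers table or with each other, which is the kind of conflict steps 2 and 4 and the arping check are about. The capture line layout and every address other than 10.1.0.98 are assumptions.

```python
import re
from collections import defaultdict

# Constructed /etc/ethers-style text (format: MAC IP, one pair per line).
# 10.1.0.98's MAC is the one given in step 4; the 10.1.0.1 entry is a placeholder.
ETHERS_TEXT = """\
40:f2:e9:75:36:81 10.1.0.98
00:11:22:33:44:01 10.1.0.1     # placeholder, not the real MAC
"""

# Constructed lines in the style of tshark's one-line ARP summary; the exact
# column layout is an assumption, only the "X is at MAC" phrase is relied on.
ARP_LINES = """\
1 0.000 00:11:22:33:44:01 -> ff:ff:ff:ff:ff:ff ARP Who has 10.1.0.98? Tell 10.1.0.1
2 0.001 40:f2:e9:75:36:81 -> 00:11:22:33:44:01 ARP 10.1.0.98 is at 40:f2:e9:75:36:81
3 0.500 ab:cd:ef:11:22:33 -> ff:ff:ff:ff:ff:ff ARP 10.1.0.98 is at ab:cd:ef:11:22:33
4 0.700 aa:aa:aa:aa:aa:aa -> ff:ff:ff:ff:ff:ff ARP 10.1.0.200 is at aa:aa:aa:aa:aa:aa
5 0.900 bb:bb:bb:bb:bb:bb -> ff:ff:ff:ff:ff:ff ARP 10.1.0.200 is at bb:bb:bb:bb:bb:bb
"""

REPLY_RE = re.compile(r"(\S+) is at ([0-9a-f:]{17})", re.IGNORECASE)

def parse_ethers(text):
    """Return {ip: mac} from ethers-format text, skipping blanks and comments."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mac, ip = line.split()[:2]
        table[ip] = mac.lower()
    return table

def check_arp(arp_text, ethers):
    """Return (kind, ip, mac) findings: 'mismatch' when a reply's MAC differs from
    the ethers entry, 'conflict' when a second MAC claims an already-claimed IP."""
    findings = []
    seen = defaultdict(set)          # ip -> MACs that have claimed it so far
    for line in arp_text.splitlines():
        m = REPLY_RE.search(line)
        if not m:
            continue                 # requests carry no claim; skip them
        ip, mac = m.group(1), m.group(2).lower()
        if ip in ethers and ethers[ip] != mac:
            findings.append(("mismatch", ip, mac))
        if seen[ip] and mac not in seen[ip]:
            findings.append(("conflict", ip, mac))
        seen[ip].add(mac)
    return findings
```

On a real box you would feed it "tshark -i ens1 -n arp" output line by line instead of ARP_LINES; a 'mismatch' against /etc/ethers is the same condition arping's duplicate-address warning reports.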